<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal>“we don't believe the remaining questions to be a blocker towards accepting this issuance”<span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'><br>Thank you, but what are the remaining questions? TSYS believes all outstanding questions have been responded to. Are there any remaining?<br><br><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'><br>Dean<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>From:</span></b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'> Ryan Sleevi [mailto:sleevi@google.com] <br><b>Sent:</b> Friday, July 22, 2016 1:09 PM<br><b>Subject:</b> Re: [cabfpub] Application for SHA-1 Issuance<o:p></o:p></span></p><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>On Fri, Jul 22, 2016 at 4:19 AM, Gervase Markham <<a href="mailto:gerv@mozilla.org" target="_blank">gerv@mozilla.org</a>> wrote:<o:p></o:p></p><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in'><p class=MsoNormal>I am moving house next week, and so cannot guarantee my ability to<br>participate in this discussion.<br><br>Mozilla approves the application from TSYS (that is to say, we will<br>accept a qualified BR audit from their CA where the qualifications<br>relate to this event) on the condition that the serial numbers of the<br>final certificates follow some documented strict construction process,<br>in broadly the manner PHB outlined, using a modern crypto hash algorithm<br>in the process of serial number generation, using an earlier form of the<br>cert as input. I believe this should be a sufficient stopgap to reassure<br>the public (who cannot see inside the CA's or TSYS's operations) that<br>collisions are not being attempted. Other CAs may want the process<br>nailed down; the above is intended to be vague enough to accommodate<br>whatever they decide.<br><br>We do not (although others may) require that TSYS reuse old keys, or<br>remove the random identifiers from the OU.<br><br>Dean indicated on yesterday's call that following this type of process<br>was possible for Symantec if approval from browsers was provided<br>quickly. This is an attempt to provide such approval with the necessary<br>speed.<o:p></o:p></p></blockquote><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>As with Gerv, our primary concern for the immediate issuance is the concern with the OU. Steps taken to remedy that - either the step suggested by Geoff or as proposed by Gerv - reasonably address this, in as much as they provide reasonable public assurance, above and beyond the countercryptanalysis, that there was limited opportunity for malfeasance, both in fact and appearances.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>While we appreciate TSYS's continued attention to the questions as we look for opportunities, as an industry forum, to improve outreach, education, and understanding about how these transitions have worked in practice, we don't believe the remaining questions to be a blocker towards accepting this issuance. We do hope they'll continue to assist in our understanding and improvement though.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Given the difficulty Symantec has had in following the process previously, we're more than willing to assist Symantec in the production of a tbsCertificate that meets the suggested changes by Gerv and Geoff, and incorporating in such feedback as that by Peter Bowen in <a href="https://cabforum.org/pipermail/public/2016-July/008055.html">https://cabforum.org/pipermail/public/2016-July/008055.html</a> - most notably, ensuring that the serial number is properly encoded (as a positive integer). This assistance is easier because the production of a tbsCertificate, to the scheme proposed (that is, using a rigid serial construction rather than a random), allows for such tbsCertificates to be produced without any form of CA ceremony, and can be produced on any machine, by any party, and in any security zone.<o:p></o:p></p></div></div></div></div></div></body></html>